Equifax has been Hacked

Discussion in 'Wall St. News' started by vanzandt, Sep 7, 2017.

  1. Vertex

    Music Composition! Yep, you know she is qualified in tech security.
     
    #41     Sep 12, 2017
  2. vanzandt

    Full letter: https://consumersunion.org/wp-content/uploads/2017/09/CU-letter-to-Equifax-9.14.17.pdf



    What Equifax Should Do

    1. Pay for credit freezes. “Consumers who wish to freeze their credit in response to Equifax’s announced breach still must pay to freeze their records with other major credit bureaus in order to make the freeze effective. We urge Equifax to pay any fees associated with credit freezes at other credit bureaus so that consumers can prevent their data from being improperly used in connection with other credit bureau records,” Consumers Union said.

    2. Extend credit monitoring for affected consumers. Consumers Union points out that Equifax has offered affected consumers “only one year of credit monitoring and, following public outcry, a limited and narrow opportunity to obtain a free credit freeze.” Because risks to consumers due to this breach are not limited to one year, Consumers Union demands that "Equifax should extend credit monitoring indefinitely for all consumers potentially affected by the breach."

    3. Provide more detailed information about the security incident. Consumers Union says the company provided “inadequate and unreliable information” about which consumers were victimized and what data was compromised, limiting consumers’ ability to take steps to protect themselves. "To prevent further harm to consumers seeking to protect themselves, Equifax must upgrade its tool to provide more detailed information about precisely what types of data were breached for each affected consumer," Consumers Union said.

    4. Remove all mandatory arbitration clauses. Equifax has been criticized for forcing victims visiting its site to waive their right to sue the company. Equifax says that it has corrected this issue, but Consumers Union says the remedy is confusing and insufficient. “Equifax has repeatedly changed its story about whether and how the mandatory arbitration clause impacts consumers,” the letter said.

    For example, after Equifax said its arbitration clause was moot, Consumers Union notes that another—broader—arbitration clause remained in effect. According to Consumers Union, Equifax is now saying that none of these clauses will apply to consumers harmed by the data breach or who sign up for credit monitoring services. However, the clauses remain in print and, Consumers Union says, “it’s unclear whether or how they could still be used to prevent consumers from having their day in court.”

    5. Commit to hiring and training sufficient staff to review and process disputes promptly. “Given the enormity of the exposure, Equifax needs to be prepared for a deluge of problems and must have sufficient resources on hand to resolve these problems quickly and effectively,” Consumers Union said. “The company should not wait for these problems to pile up and then address a mounting backlog.”

    6. Set aside a fund to compensate consumers whose data has been exposed. “Equifax has an obligation to American consumers to compensate them for the injury they may incur for years to come. Accordingly, Equifax should create a substantial and dedicated reserve account to compensate consumers affected by this breach,” Consumers Union wrote.

    7. Investigate allegations of insider trading and hold wrongdoers accountable. “The company does not appear to have fully investigated—and certainly has not explained to the public—the sales of stock by three executives just prior to public announcement of the breach,” Consumers Union said. "The timing of these sales—a handful of days after the initial uncovering of a massive security incident—raises major red flags. However, Equifax’s initial reaction was disappointing and troubling: first, its press statement sought to minimize the scope of $2 million in sales as 'small.' Second, rather than stating an intention to investigate the issue, Equifax casually and summarily dismissed the allegation of trading on nonpublic information with no apparent inquiry at all—much less a rigorous one."

    Consumers Union says that Equifax should immediately act to preserve all documents and communications of the executives in question, and commit to an independent investigation of the possibility of insider trading.
    What's Next

    The letter concludes with an acknowledgment of the magnitude of the fast-moving situation, but stresses that “the consumers injured by this breach should be the company’s first and foremost priority, and Equifax should commit to their protection and to making them whole.”

    The Equifax CEO is scheduled to testify before the House Energy and Commerce committee on October 3. That committee has jurisdiction over the Federal Trade Commission and Consumer Financial Protection Bureau, the agencies responsible for regulating data security.

    On Thursday the FTC announced that it had launched an investigation into the Equifax breach.

    "The FTC typically does not comment on ongoing investigations. However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach," Peter Kaplan, the FTC’s Acting Director of Public Affairs, told Consumer Reports in an email.

    Also, Connecticut Attorney General George Jepsen has announced that his office has initiated a formal multi-state investigation into the breach.
     
    #42     Sep 14, 2017
  3. Cuddles

    #43     Sep 14, 2017
  4. Vertex

    The Apache vulnerability that was exploited had been patched back in March. Some researcher found it and a patch was released the next day (again, back in March).

    Equifax failed to apply the update.
     
    #44     Sep 15, 2017
  5. themickey

    http://www.marketwatch.com/story/eq...he-companys-chief-security-officer-2017-09-15

    When Congress hauls in Equifax CEO Richard Smith to grill him, it can start by asking why he put someone with degrees in music in charge of the company’s data security.

    And then they might also ask him if anyone at the company has been involved in efforts to cover up Susan Mauldin’s lack of educational qualifications since the data breach became public.

    It would be fascinating to hear Smith try to explain both of those extraordinary items.

    If those events don’t put the final nails in his professional coffin, accountability in the U.S. is officially dead. And late Friday Equifax said both Mauldin and the company’s chief information officer have retired effective immediately.

    Susan Mauldin’s LinkedIn page was made private and her last name replaced with “M.”

    Equifax “Chief Security Officer” Susan Mauldin has a bachelor’s degree and a master of fine arts degree in music composition from the University of Georgia. Her LinkedIn professional profile lists no education related to technology or security.

    This is the person who was in charge of keeping your personal and financial data safe — and whose apparent failings have put 143 million of us at risk from identity theft and fraud. It was revealed this week that the massive data breach came due to a software vulnerability that was known about, and should have been patched, months earlier.

    I emailed Equifax’s multiple media relations people but have not heard back.

    I was tipped off to this by a contact on Twitter. There has been very little coverage so far of Susan Mauldin’s background and training. Given the ongoing disaster of the hack and Equifax’s handling of the affair, the media spotlight has so far been elsewhere.

    Reporting by a few tech-savvy blogs has found that as soon as the Equifax data breach became public, someone began to scrub the internet of information about Mauldin.

    Her LinkedIn page was made private and her last name replaced with “M.” Two videos of interviews with Mauldin have been removed from YouTube. A podcast of an interview has also been taken down.

    Unhappily for the scrubbers, the internet archives some material and a transcript of one interview has survived.

    To play devil’s advocate, Mauldin does at least have 14 years’ private-sector experience since getting her degrees. Music, to stretch the point as far as possible, is an academic subject that can be highly mathematical.

    The question is how far any of this can take you in this field if you don’t have a formal education in technology. Mauldin’s counterparts at Equifax’s two biggest competitors, TransUnion and Experian, studied computers and science, respectively.

    In an interview I found, Mauldin said that in recruiting, “[w]e’re looking for good analysts, whether it’s a data scientist, security analyst, network analyst, IT analyst, or even someone with an auditing degree. ... Security can be learned.”

    But she also said she focuses college recruitment, understandably, on “universities that have programs in security, cyber security, or IT programs with security specialties.” She did not mention music composition.

    Everything about this fiasco just gets more and more surreal.
     
    #46     Sep 16, 2017
  6. Vertex

    I can't wait to learn how much of a payout they received.
     
    #47     Sep 16, 2017
  7. Vertex

    Oh Equifax, can we even count the ways you fuck up?

    Equifax tweeting link to phishing site

    I knew there would be phishing sites set up for common misspellings of the address (luckily this one was benign), but who would have thought Equifax would be the one sharing the link.
     
    #48     Sep 21, 2017
  8. Sig

    My pet and somewhat provocative theory is this. There are two types of people interested in computers. The first group won enough of the genetic lottery that they can do a good job of coding, so they learn that and get a job coding with the commensurate salary that comes with the current shortage of people who can write good code. The second group just doesn't quite have the intellect for that; they become "IT professionals." Before you get too upset, there are extremely intelligent IT professionals and extremely dumb software developers, but they are a minority of both groups (the dumb developers write the bad code that is easily hacked). Most "IT professionals" don't really understand how software works internally, so as a result they just memorize a bunch of rules they were taught and mindlessly implement them. I have no doubt Equifax's IT department did a smash-up job of ensuring everyone changed their password once a month to a 15-character unintelligible string that included special characters but not & or $, with almost religious fervor. That was perfect for protecting against an NSA Cray supercomputer brute-force cracking attack. But they didn't actually know why they were doing it in the first place, and that wasn't the risk they were facing. Meanwhile, if someone who actually knew how their code was written was actively trying to find vulnerabilities in it every day, they certainly would have fixed the known problem they had.
    The point companies decide they should hire developer level intellects to do security is the point where most of the stupid crap we all put up with under the name of "cyber" security goes away and systems actually become more secure.

    BTW isn't "cyber" so 1999? Pretty much any time I see it I can tell that someone who knows FA about software, probably over the age of 50, is driving that train.
     
    Last edited: Sep 22, 2017
    #49     Sep 22, 2017
  9. vanzandt

    Wells Fargo just upgraded Equifax today.
    The two Titans of corporate stewardship. :D:D
     
    Last edited: Sep 22, 2017
    #50     Sep 22, 2017